Strange email (spoofing?)

Got a few different email accounts, and just got an email sent to my Hotmail account from my Yahoo Account. Subject was just my name, and had some dodgy link which I didn't click. I looked and a few other addresses were copied into the message (from what I can see, websites I've used to buy things from using that email address).

Anyway went into my Yahoo account and got a few "delivery failed" messages which were the email addresses copied in that are probably no longer active. No sign that my Yahoo account has been hacked and PC scan is clean.

Few weird things tho - Dunno how they got my password. It's unique to just that email address and isn't used for anything else, PC is clean and plus I hardly type it in as it's auto log in. Email wasn't sent to all contacts but only a few (plus a fake email address I've never heard of). Normally they just mass email the whole contact list. Nothing in sent or deleted items (I know these can be deleted tho)

Re: Strange email (spoofing?)

I've now received a whole series of Spamvertised links within emails from Yahoo users, but strangely, I've also received them from multiple BT Internet users...
BT Internet uses the Yahoo email system.

Some of the BT Users are people I know wouldn't fall for phishing.

I've had 100's of these emails hit my servers over the past 3 days when it first started from over 50 different yahoo accounts.

I've got a Yahoo account myself, and have had a quick look but nothing there so far.
In a previous security breach, the hackers would login to your Yahoo account, send the email and you could see it in your "Sent" folder.
A later version of the hack would delete the message from your "Sent" folder to try and hide it, but you could then find it in your "Trash" folder.

If you have a Yahoo account, it is worth changing the password to a strong/secure password, and keeping an eye on the Sent/Spam folder.

If you start seeing emails in your inbox from "mailer-daemon" or a bunch of returned/blocked emails, it's a good bet your own account has been compromised...

I get the feeling we are going to be reading about this in the news later this week...

Evernote had to do a mass reset of 50 million user account passwords yesterday when they detected a security break into their servers...
It seems the bad guys are having a push on hacking accounts at the moment..

The bulk of the emails I've received on my servers are originating from Romania/India with a few spread elsewhere. It appears that they are being sent out by a rather large botnet.

I am not 100% convinced that these accounts have been compromised by brute force dictionary attacks/phishing... I definitely smell a security hack at Yahoo...

Re: Strange email (spoofing?)

I did a bit more research, it appears to be linked to a known XSS vulnerability that Yahoo allegedly fixed a month ago... Perhaps not.
It relies on Yahoo (and therefore BT) users clicking on that link in the email.

I'm still not convinced it's a bit more sinister.. Another contact of mine has just been hacked and he swears blind he hasn't even opened his Yahoo/BT email in months and he definitely hasn't clicked on any links (And he uses Firefox and NoScript so the above exploit would not have worked in his case).

I just deleted all of my contacts from my Yahoo account and added a couple of honey traps to see if they pick up anything...

Re: Strange email (spoofing?)

I have connections with a charitable group and have received a couple of emails CC'd to many other members of the group. These are similar to the above and contain nothing but a link which led in one case to a magazine, in the other to a company site, both in the US and both apparently genuine. My mail is with BT/yahoo.

One of the emails resolves to Hanoi, Vietnam, the second to Indonesia, the third to India. Probably all spoofed. So what's going on here? If we click on the links does this simply confirm our addresses to the senders for spam or malware? I've done a full scan but Kaspersky sees nothing amiss.

Re: Strange email (spoofing?)

Strange. My Dad got an email from a Vicar he had contacted asking for money as she was stuck in the Philippines. It was a Yahoo email but hers was a blueyonder address. This was last week; seems Yahoo is the scammers' choice. He tried to phone her to warn her but just had to leave a message on her answer machine.

Re: Strange email (spoofing?)

Virus just seems an excuse to shift blame from them onto us. No way a virus would just steal Yahoo account details and send out the spam over a few days like we're seeing. Too many affected too quickly.

Re: Strange email (spoofing?)

I think this is too big to be users' PCs getting hit. This forum, the BT one linked and another I use have had these spam emails sent to contacts over the last few days. Yahoo you can see where login attempts have been made, and people are seeing their account accessed from all over Europe.

Seems specific to BT/Yahoo service and going on recent high profile security breaches I would guess this is another one

Re: Strange email (spoofing?)

104 posts on the BT customer forum in 48 hours -- yet BT and Yahoo are still silent. However, just tried to log into Yahoo mail and got the following:

We are undertaking some essential, but extensive maintenance to improve Yahoo! Mail. During the maintenance period, some users may experience problems accessing Yahoo! Mail. We sincerely apologize for this inconvenience. Your account is in great shape and we are working to have it available again as quickly as possible.

Re: Strange email (spoofing?)

This happened to 2 of my Yahoo accounts also (I have 3 in total). I've not clicked on any spam link. I scanned my PC with full scan setting with both Avast and Malwarebytes and both came up clean.

In my situation they seemed to spam email and CC me a copy too. As someone else stated they seem to spam a few email addresses. Some are valid friends emails and some seem to be made-up.

I changed my passwords on both accounts. Nothing since, though unfortunately some of my friends who were on spam list, tried to spam me back.

The commonality of all this does suggest that the Yahoo mailing system is the common denominator. I suspect that they were compromised on a big scale and instead of telling people, admitting they were at fault, they have kept their head down since nothing happened immediately. Now it seems it has.

Re: Strange email (spoofing?)

I just followed these instructions http://help.yahoo.com/kb/index?locale=en_US&y=PROD_A... to see the recent Yahoo login activity of the email account and on mine someone from Poland logged in on March 5th. At first via Yahoo! Mobile and then via the browser at 20:12. I logged back in 12 minutes after he did. It's worth a look though. I wish the history went back further though. I'm sure my 2nd email was compromised too but it only goes back to when I logged back in. So I can't see the offending hacker's details.

Re: Strange email (spoofing?)

This has never stopped. Never even really died down. These messages from yahoo accounts have continued ever since it was first reported. Then the same has more recently been happening with BT email accounts.
News the other day that BT is separating itself away from using Yahoo. I'm assuming this email spam situation is at least part of the reason.
FWIW, it seems that the problem lies on the yahoo / BT email servers, and that the spam is not directly coming from individuals' PCs.

Re: Strange email (spoofing?)

OK then, what is the perceived wisdom on the course of action that should be taken when you discover you are a victim?

Re: Strange email (spoofing?)

One thing worth mentioning is that sometimes an email which purports to come from a particular account hasn't. If a friend of the account holder gets their email account and address book hacked, the emails sent out by the hacker may be sent with the identity of anyone in the address book.

They usually spam others in the same address book on the basis that two people whose email addresses are in the same address book are more likely to know each other and therefore view emails with less suspicion.

I used to get emails apparently from my own email account but that was impossible. Looking at the full email headers showed that the emails didn't come from any of my mail servers but it was just my address which was being used by a third party sent via a hacked PC.

I've now put a stop to these sort of emails by specifying which email servers may send email from my domain (SPF record for the curious). Anything sent from an unauthorized server is rejected. Some email providers also use SPF to filter out incoming messages dropping those which come from places they shouldn't.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat
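
The header check and SPF policy described in the post above, as an added example (not part of the thread and not the poster's own configuration): a partial SPF evaluator that handles only the `ip4`, `ip6` and `all` mechanisms, applied to the connecting IP taken from the topmost `Received` header. The record, the domain `example.org`, the IP addresses and the message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed SPF TXT record for the placeholder domain example.org.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/48 -all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: claims to be from me@example.org, but the receiving
# server recorded a connecting IP outside the ranges listed in SPF_RECORD.
SPOOFED = (
    "Received: from unknown (HELO pc) ([203.0.113.77])\n"
    "\tby mx.example.net with SMTP; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Return-Path: <me@example.org>\n"
    "From: me@example.org\nTo: me@example.org\nSubject: hi\n\nlink\n"
)


def spf_check(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, value = mech.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # include, a, mx, exists and redirect need DNS and are skipped here.
    return "neutral"


def connecting_ip(raw_message):
    """IP from the topmost Received header, the one your own server added."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received[0])
    return match.group(1) if match else None


if __name__ == "__main__":
    ip = connecting_ip(SPOOFED)
    print(ip, spf_check(SPF_RECORD, ip))
```

SPF is evaluated against the envelope sender (the `Return-Path` domain), so this assumes that domain is `example.org`; only the `Received` header added by your own receiving server can be trusted, since earlier ones are supplied by the sender.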

Re: Strange email (spoofing?)

The latest thinking going on the BT thread about this issue is that Yahoo aren't actually getting hacked every single time, and instead it's some unknown security flaw in Yahoo's servers that means they can get access to your account even without knowing the password.

Re: Strange email (spoofing?)

I did get to the stage a while back of nearly blocking all incoming email from Yahoo as it was almost all spam and, worse still, it's near impossible to report spam abuse to Yahoo. Reports sent to abuse@yahoo.com and abuse@yahoo.co.uk fail (a breach of RFC 2142).

I raised the issue with Yahoo UK, got an acknowledgement and then nothing. Yahoo doesn't take abuse originating from its servers seriously.

Sarah